Gallagher’s Financial Institutions team produces a monthly bulletin which reviews the insurability of the largest operational risk events reported recently.

War Exclusions: a significant bar to coverage for cyber attacks?

The ongoing litigation in Mondelez International, Inc. v. Zurich American Insurance Co. has been gaining significant attention in insurance circles. According to reports, Mondelez is asking an Illinois state court to determine whether a claim for losses Mondelez suffered during the 2017 NotPetya attack (the largest encrypted ransomware attack to date) is precluded by a ‘hostile or warlike action’ exception in a Zurich insurance policy. It appears that one of the central issues could be to what extent the attack can be attributed to a state actor - the NotPetya malware has been blamed on Russian operatives by both the US and British governments in the past. [1]

Some reports have suggested that the policy provided by Zurich is a cyber policy. We understand that this is not the case and the dispute involves a property insurance policy. Zurich’s approach is therefore consistent with the stance taken by other insurers, namely that traditional insurance should not be relied upon to pay for cyber losses. We do not believe that an insurer would take a similar position under a cyber policy.

The Court of Appeal hands down a judgment in relation to the notification of circumstances under Professional Indemnity policies

The recent judgment of the Court of Appeal of England and Wales in Euro Pools plc (in administration) v Royal and Sun Alliance Insurance Plc has clarified certain issues around the notification of circumstances under professional indemnity insurance. The scope of notifications of circumstances can be of critical importance where they develop into claims or the payment of mitigation costs. In this case the dispute between the insured and insurer centred around whether claims for the payment of mitigation costs arising from the notification of circumstances attached to the first or second of two successive professional indemnity policies. The limit of indemnity of the first policy had been exhausted by previous claims and the insured was asserting that the claims should fall under the second policy. The Court found in favour of the insurer. [2] Points of note from the judgment include:

  • A provision in a professional indemnity policy which refers to circumstances that ‘may’ give rise to a claim sets a ‘deliberately undemanding test.’
  • A notification need not be limited to particular events. It may extend to something as general as a regulatory warning about a class of business or a concern about work done by a former employee or prior entity. The insured may give a ‘can of worms’ or ‘hornet's nest’ notification; i.e. a notification of a problem, the exact scale and consequences of which are not known.
  • An insured can notify a problem in general terms without fully appreciating its cause or its potential consequences (e.g. because the insured is not a technical specialist). If it does so, then the insurance will cover claims which have some causal connection to the problem notified.
  • If there has been a proper notification of circumstances, any claim arising from those notified circumstances will be considered to have been made within the requisite period of insurance. Any claim which arose consequently from the notified circumstances would also be deemed to arise from those circumstances but there must be some causal, as opposed to merely some coincidental, link between the notified circumstances and the later claim.

Australian Banks make large provisions for customer compensation

Some of the largest Australian banks have recently set aside significant amounts to cover customer compensation payments in the wake of the year-long Royal Commission inquiry into misconduct in several major areas of the Australian financial services industry. ANZ Bank and Westpac have recently announced more than A$1bn ($705m) in combined pre-tax provisions and Commonwealth Bank of Australia has recently set aside A$714m ($499m) (the bank has now set aside A$2.17bn in total). Compensatory payments to clients by financial institutions are generally covered under professional indemnity insurance, although the repayment of fees or profits is not. There are several other areas of financial lines insurance that may be able to respond to elements of regulatory investigations into misconduct, including legal costs cover for directors and officers in responding to inquiries into their conduct. [3]

Sources

  1. https://www.lexology.com/library/detail.aspx?g=63cdbc72-ad7f-4398-b3d2-088285901416
  2. https://www.kennedyslaw.com/thought-leadership/case-review/court-of-appeal-judgment-on-the-need-for-a-causal-link-between-notification-and-later-claim/
  3. The Financial Times, 1st May 2019 and 13th May 2019